Skip to content
Trivy Backend Vulnerability Scan

RDFBROWSER-494 - Trivy github action #8

Sign in to view logs

RDFBROWSER-494 - Trivy github action

RDFBROWSER-494 - Trivy github action #8

Workflow file for this run

.github/workflows/trivy-scan-backend.yml at 0bc7592
name: Trivy Backend Vulnerability Scan
on:
pull_request:
branches:
- develop
- master
workflow_dispatch: # Allows manual runs from the GitHub UI
jobs:
backend-trivy-scan:
runs-on: ubuntu-latest
steps:
# Checkout the pull request code
- name: Checkout code
uses: actions/checkout@v3
# Set up Java 17 for the environment
- name: Set up JDK 17
uses: actions/setup-java@v3
with:
java-version: '17'
distribution: 'adopt'
# Install Trivy if not cached
- name: Install Trivy
run: |
TRIVY_LATEST_VERSION=$(curl --silent "https://api.github.com/repos/aquasecurity/trivy/releases/latest" | jq -r .tag_name)
wget https://github.com/aquasecurity/trivy/releases/download/${TRIVY_LATEST_VERSION}/trivy_${TRIVY_LATEST_VERSION#v}_Linux-64bit.deb
sudo dpkg -i trivy_${TRIVY_LATEST_VERSION#v}_Linux-64bit.deb
# Run Gradle lockfile updates
- name: Run Gradle dependencies
run: |
cd web; ./gradlew dependencies --write-locks
# Scan the backend gradle.lockfile
- name: Run Trivy scan for gradle.lockfile
id: trivy-scan-java
run: |
trivy fs web/gradle.lockfile --format json --output reportJava.json
# Check for CRITICAL vulnerabilities in the Java scan
- name: Check vulnerabilities in Java
id: check-vulns-java
run: |
vuln_count=$(jq '[.Results[]?.Vulnerabilities[]? | select(.Severity == "CRITICAL")] | length' reportJava.json)
echo "Java CRITICAL vulnerability count: $vuln_count"
if [ "$vuln_count" -gt 0 ]; then
echo "CRITICAL vulnerabilities found in gradle.lockfile!"
exit 1
else
echo "No CRITICAL vulnerabilities found in gradle.lockfile."
fi
# Clean up lockfile after scan
- name: Clean up
run: |
/bin/rm -rf web/gradle.lockfile